
CN108259502B - Authentication method for obtaining interface access authority, server and storage medium - Google Patents


Info

Publication number
CN108259502B
CN108259502B (application CN201810086667.6A)
Authority
CN
China
Legal status
Active
Application number
CN201810086667.6A
Other languages
Chinese (zh)
Other versions
CN108259502A (en)
Inventor
段林
方奕博
巫绍堂
Current Assignee
Ping An Puhui Enterprise Management Co Ltd
Original Assignee
Ping An Puhui Enterprise Management Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention discloses an authentication method, a server and a storage medium for acquiring interface access authority. The method comprises the following steps: responding to an authentication request initiated by a client and determining its type, the types being a first authentication request comprising a fixed code and a first timestamp, and a secondary authentication request comprising a random number previously fed back by the server; when the authentication request is a first authentication request, judging whether the fixed code and the first timestamp in the request meet a preset authentication condition; when the authentication request is a secondary authentication request, judging whether the random number in the request matches a random number in the dynamically updated random number sequence held by the current server; and when the fixed code and the first timestamp meet the preset authentication condition, or when the random number in the secondary authentication request matches one random number in the random number sequence of the current server, determining that the interface access authority has been successfully acquired, creating a token containing one random number based on the random number sequence, and returning the token to the client. The invention achieves a high authentication speed.

Description

Authentication method for obtaining interface access authority, server and storage medium
Technical Field
The present invention relates to the field of authentication, and in particular, to an authentication method, an authentication server and a computer-readable storage medium for obtaining an interface access right.
Background
With the continuous development of information security technology, the authentication technology used to verify whether a user has the right to access a server or an interface is continuously updated. At present, when a user needs to log in to a server to obtain data, a user name and a password must be registered through the login client to request login on the first login; after the server receives the request it verifies the user name and password, and if the verification succeeds the server issues a fixed token to the client. Subsequently, that token can be used as an authentication key every time resources are requested from the server, and access is granted by presenting the token issued by the server. However, if the identity of the requester is unknown, the requester cannot acquire the token without the user name and the password and must newly register a user name and password, so the authentication speed is slow.
Disclosure of Invention
The invention mainly aims to provide an authentication method, an authentication server and a computer-readable storage medium for acquiring interface access authority, aiming at solving the technical problem that a user name and a password need to be registered at the client side on first login, which makes authentication slow.
In order to achieve the above object, the present invention provides an authentication method for obtaining interface access rights, comprising the steps of:
the server side responds to an authentication request initiated by a client side and determines the type of the authentication request, wherein the type of the authentication request is either a first authentication request or a secondary authentication request; the first authentication request comprises a fixed code and a first timestamp, and the secondary authentication request comprises a random number fed back by the server;
when the authentication request is a first authentication request, the server side judges whether the fixed code and the first timestamp in the first authentication request accord with a preset authentication condition or not;
when the fixed code and the first timestamp accord with a preset authentication condition, the server side creates a token based on a dynamically updated random number sequence and returns the created token to the client side, wherein the token comprises a random number;
when the authentication request is a secondary authentication request, the server side judges whether the random number in the secondary authentication request sent by the client side is matched with any random number in a dynamically updated random number sequence in the current server side;
and when the random number in the secondary authentication request is matched with one random number in a dynamically updated random number sequence in the current server, determining that the interface access authority is successfully obtained, creating a token by the server based on the dynamically updated random number sequence, and returning the created token to the client, wherein the token comprises a random number.
Optionally, the number of random numbers in the dynamically updated random number sequence is a fixed preset value, each random number has a length of 18 characters and is formed by randomly combining Arabic numerals and/or letters, and the server updates and replaces one random number in the random number sequence according to a preset order at intervals of a preset time;
the step of the server creating a token based on the dynamically updated random number sequence comprises:
the server side selects random numbers with the latest updating time from a random number sequence with a fixed number;
and the server side creates the token according to the selected random number.
Optionally, the step of the server creating the token according to the selected random number includes:
and the server side encrypts a second time stamp and the selected random number through an AES symmetric encryption algorithm to obtain the token.
Optionally, the second timestamp is a time corresponding to when the current server selects a random number whose update time is the latest.
Optionally, after the step of determining, by the server, whether the random number in the secondary authentication request sent by the client matches any random number in the dynamically updated random number sequence in the current server when the authentication request is a secondary authentication request, the method further includes:
when the random number in the secondary authentication request is not matched with any random number in the random number sequence, the server side determines that the interface access authority acquisition fails;
and the server side feeds back a reset authentication command to the client side so that the client side can reinitiate a first authentication request.
Optionally, the secondary authentication request further includes a third timestamp;
when the random number in the secondary authentication request is matched with one random number in the dynamically updated random number sequence in the current server, the step of determining that the interface access authority is successfully acquired comprises the following steps:
when the random number in the secondary authentication request is matched with one random number in the dynamically updated random number sequence in the current server, judging whether the third time stamp in the secondary authentication request is matched with a time range corresponding to the matched random number in the random number sequence;
and when the third timestamp in the secondary authentication request is matched with the time range corresponding to the matched random number in the random number sequence, determining that the interface access authority is successfully acquired.
Optionally, the step of the server determining whether the fixed code and the first timestamp in the first authentication request meet a preset authentication condition includes:
the server side judges whether the fixed code in the first authentication request is matched with a pre-stored fixed code or not;
when the fixed code in the first authentication request matches a pre-stored fixed code, judging whether the difference between the first timestamp in the first authentication request and the server time of the current server is within a preset range; when the difference between the first timestamp and the server time of the current server is within the preset range, the fixed code and the first timestamp meet the preset authentication condition.
In addition, to achieve the above object, the present invention further provides an authentication server for authenticating the access right of an interface, including:
the determining module is used for responding to an authentication request initiated by a client and determining the type of the authentication request, wherein the type of the authentication request is either a first authentication request or a secondary authentication request; the first authentication request comprises a fixed code and a first timestamp, and the secondary authentication request comprises a random number fed back by the server;
the first judging module is used for judging whether the fixed code and the first timestamp in the first authentication request accord with a preset authentication condition or not when the authentication request is the first authentication request;
the first creating module is used for creating a token based on a dynamically updated random number sequence when the fixed code and the first timestamp accord with a preset authentication condition, and returning the created token to the client, wherein the token comprises a random number;
the second judging module is configured to, when the authentication request is a secondary authentication request, judge whether the random number in the secondary authentication request sent by the client matches any random number in the dynamically updated random number sequence in the current server;
and the second creating module is used for determining that the interface access authority is successfully acquired when the random number in the secondary authentication request is matched with one random number in the dynamically updated random number sequence in the current server, and the server creates a token based on the dynamically updated random number sequence and returns the created token to the client, wherein the token comprises a random number.
In addition, in order to achieve the above object, the present invention further provides an authentication server for authenticating the access right of an interface, where the authentication server includes: a communication module, a memory, a processor and a computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, carries out the steps of the authentication method for obtaining access rights to an interface as described above.
Further, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the authentication method for acquiring an access right of an interface as described above.
The invention provides an authentication method for obtaining interface access authority, an authentication server and a computer readable storage medium, wherein the server responds to an authentication request initiated by a client and determines the type of the authentication request, and the type of the authentication request comprises a primary authentication request and a secondary authentication request; the first authentication request comprises a fixed code and a first time stamp, and the second authentication request comprises a random number fed back by a server; when the authentication request is a first authentication request, the server side judges whether the fixed code and the first timestamp in the first authentication request accord with a preset authentication condition or not; when the fixed code and the first timestamp accord with a preset authentication condition, the server side creates a token based on a dynamically updated random number sequence and returns the created token to the client side, wherein the token comprises a random number; when the authentication request is a secondary authentication request, the server side judges whether the random number in the secondary authentication request sent by the client side is matched with any random number in a dynamically updated random number sequence in the current server side; and when the random number in the secondary authentication request is matched with one random number in a dynamically updated random number sequence in the current server, determining that the interface access authority is successfully obtained, creating a token by the server based on the dynamically updated random number sequence, and returning the created token to the client, wherein the token comprises a random number. 
Therefore, a user name and a password do not need to be registered on the client to obtain the token to realize authentication, and the method is widely suitable for the condition of large-scale authentication in batches. Moreover, the process of registering the user name and the password is reduced, so that the authentication speed is improved.
Drawings
FIG. 1 is a schematic diagram of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of an authentication method for obtaining interface access rights according to the present invention;
FIG. 3 is a detailed flowchart of step S20 in the first embodiment of the authentication method for obtaining interface access rights according to the present invention;
FIG. 4 is a detailed flowchart of step S30 in the second embodiment of the authentication method for obtaining interface access rights according to the present invention;
FIG. 5 is a flowchart illustrating a third embodiment of an authentication method for obtaining interface access rights according to the present invention;
FIG. 6 is a detailed flowchart of step S50 in the fourth embodiment of the authentication method for obtaining interface access rights according to the present invention;
FIG. 7 is a functional block diagram of the authentication server according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to FIG. 1, FIG. 1 is a schematic diagram of the hardware structure of an authentication server 100 according to various embodiments of the present invention. The authentication server 100 provided by the present invention may include a communication module 10, a memory 20, a processor 30 and other components. The authentication server 100 is communicatively connected to a client, and may be a separate system dedicated to authentication and authorization, a server, or a monitoring data collection platform. The processor 30 is connected to the memory 20 and to the communication module 10 respectively, and the memory 20 stores a computer program that is executed by the processor 30.
The communication module 10 may be connected to an external device through a network. The communication module 10 may receive a request from an external communication device and may broadcast an event, an instruction, and information to the external communication device. The external communication device may be a client or other server, and the client may be an electronic device such as a mobile phone, a computer, and a television. Optionally, the client may be installed with a data reporting plug-in for reporting the collected data to the authentication server 100, and may also be used to send a request, receive information, and call an interface to obtain data.
The memory 20 may be used to store software programs as well as various data. The memory 20 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as authentication authority) required for at least one function, and the like; the storage data area may include a database, and the storage data area may store data or information created according to the use of the authentication server 100, and the like. Further, the memory 20 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The processor 30, which is a control center of the authentication server 100, connects various parts of the entire authentication server 100 by using various interfaces and lines, and performs various functions and processes data of the authentication server 100 by running or executing software programs and/or modules stored in the memory 20 and calling data stored in the memory 20, thereby integrally monitoring the authentication server 100. Processor 30 may include one or more processing units; preferably, the processor 30 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 30.
Although not shown in fig. 1, the authentication server 100 may further include a circuit control module for connecting to a power supply to ensure the normal operation of other components. The authentication server 100 may further include a display module for extracting data from the memory 20 to display the front-end page and the back-end data.
Those skilled in the art will appreciate that the authentication server architecture shown in fig. 1 does not constitute a limitation of the authentication server and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
Based on the hardware structure, various embodiments of the method of the invention are provided.
Referring to fig. 2, in a first embodiment of the authentication method for obtaining interface access rights of the present invention, the method includes the steps of:
step S10, the server side responds to the authentication request initiated by the client side and determines the type of the authentication request, wherein the type of the authentication request comprises a primary authentication request and a secondary authentication request; the first authentication request comprises a fixed code and a first time stamp, and the second authentication request comprises a random number fed back by a server;
authentication (Authentication) refers to verifying whether a user has access rights. In this embodiment, the client may initiate an authentication request when needing to acquire an interface access right, where the authentication request may be an HTTP (Hyper Text transfer Protocol) request, and the server determines a type of the authentication request after responding to the authentication request, where a method for determining the type of the authentication request may be distinguished according to content included in the authentication request, or may further set an identifier in the authentication request for distinguishing.
When the client applies for an access API (Application Programming Interface) or other server interfaces for the first time, or when the right acquisition fails after the client sends the secondary authentication request, the client may send the primary authentication request including the fixed code and the first timestamp to the server. When the client passes the authentication for the first time or the authority is successfully obtained after the client initiates the secondary authentication request, the secondary authentication request comprising the random number fed back by the server can be initiated.
Optionally, the fixed code and the first timestamp, and the random number fed back by the server, may be carried in the header of the authentication request. It should be noted that the fixed code is a fixed string of characters, and a timestamp is complete, verifiable data that can show that a piece of data existed before a certain point in time; it is usually a character sequence that uniquely identifies a particular moment. In this embodiment, the first timestamp may be the time at which the authentication request was issued.
Step S20, when the authentication request is a first authentication request, the server side judges whether the fixed code and the first time stamp in the first authentication request accord with a preset authentication condition; if yes, go to step S30;
the corresponding preset authentication condition may be set according to the type of the interface, or only one preset authentication condition may be set. The process of determining the fixed code and the first timestamp in the first authentication request according to the preset authentication condition may be: firstly, whether a fixed code in a first authentication request is matched with a pre-stored fixed code stored in a memory is judged, and when the fixed code is matched with the pre-stored fixed code, whether the difference value between a first time stamp and the time of a service end of a current service end is within a preset range is verified, for example, the preset range is 3 minutes. The process of determining whether the fixed code matches with a pre-stored fixed code stored in the memory may be determining whether the fixed code is consistent with any one of a plurality of pre-stored fixed codes, and when consistent, it indicates that the fixed code matches with the pre-stored fixed code in the memory.
Referring to fig. 3, the step S20 may be:
step S21, the server side judges whether the fixed code in the first authentication request is matched with a pre-stored fixed code; if yes, go to step S22;
step S22, judging whether the difference between the first timestamp in the first authentication request and the server time of the current server is within a preset range; when the difference between the first timestamp and the server time of the current server is within the preset range, the fixed code and the first timestamp meet the preset authentication condition.
Step S30, the server creates a token based on the dynamically updated random number sequence and returns the created token to the client, and the token contains a random number;
When the fixed code and the first timestamp in the first authentication request meet the preset authentication condition, the first authentication passes, but the interface access authority is not yet granted: the server creates a token containing a random number drawn from the dynamically updated random number sequence and feeds the token back to the client. After receiving the token, the client may extract the random number in it for use in a secondary authentication request.
Optionally, the created token may be encrypted to improve its security during transmission; for example, the created token may be encrypted using the MD5 hash algorithm, salted encryption, or an asymmetric encryption algorithm. Accordingly, if the token returned by the server is encrypted, the client must decrypt the returned token with the key of the same algorithm in order to obtain the random number in the decrypted token.
Step S40, when the authentication request is a secondary authentication request, the server side judges whether the random number in the secondary authentication request sent by the client side is matched with any random number in the dynamically updated random number sequence in the current server side; if yes, go to step S50;
When the authentication request sent by the client is a secondary authentication request, it contains the random number from the token that the server returned to the client. The server judges whether that random number matches any random number in the random number sequence currently being dynamically updated in the server. For example, the random number sequence of the current server consists of N dynamically updated random numbers, and the random numbers in the sequence are updated in a preset order every M minutes; when the random number in the secondary authentication request is identical to at least one of the N random numbers in the current server, the random number in the secondary authentication request is considered to match the updated random numbers of the current server. Conversely, if none of the random numbers in the server's dynamically updated sequence equals the random number in the secondary authentication request, they are considered not to match: so much time has elapsed since the previous authentication request that all of the server's random numbers have been updated. In that case the secondary authentication fails, and it may be determined that acquisition of the interface access right has failed.
Step S50, determining that the interface access right is successfully obtained, the server creates a token based on the dynamically updated random number sequence, and returns the created token to the client, where the token includes a random number.
When the random number in the secondary authentication request matches any random number in the dynamically updated random number sequence, the client and the current server are engaged in data interaction and the interaction took place within the time it takes for all of the server's random numbers to be updated; the current verification is therefore valid, and it may be determined that the interface access authority has been successfully acquired.
Compared with registering a user name and a password through a client, using the fixed code and the first timestamp as the key for the first authentication check requires no registration process, and the fixed code and the timestamp make the signature harder to forge, so both the security and the speed of authentication are improved; the method is therefore suitable for large-batch authentication and for cases where the requester is unknown. In addition, the token created by the server in response to the secondary authentication request contains a random number selected from the dynamically updated random number sequence, so the token used to verify whether the interface access authority can be acquired is random, which improves the security of interface access authentication.
Further, referring again to fig. 2, in other embodiments, when the determination in step S20 is that "the fixed code and the first timestamp do not meet the preset authentication condition", step S60 is executed:
Step S60: the server determines that acquisition of the interface access right fails.
When the difference between the first timestamp in the first authentication request and the current server time is outside the preset range, or when the fixed code in the first authentication request does not match the pre-stored fixed code, the server determines that acquisition of the interface access right fails. After that determination, the server monitors whether the client initiates a new authentication request. Filtering out authentication requests that do not meet the preset authentication condition raises the threshold for interface access and excludes unsafe clients.
Further, a second embodiment of the authentication method for obtaining interface access rights according to the present invention is provided on the basis of the first embodiment. In this embodiment, the number of random numbers in the dynamically updated sequence is a fixed preset value, each random number is 18 characters long and is formed by randomly combining Arabic numerals and/or letters, and the server updates and replaces one random number in the sequence in a preset order every preset time interval. For example, one random number in the sequence may be fsdddu 2fsFIO85jf 842.
Referring to fig. 4, the step S30 may include:
step S31, the server side selects the random number with the latest update time from the random number sequence with fixed quantity;
step S32, the server creates the token according to the selected random number.
The random numbers may be stored in memory as a table or a stack, either in random order or ordered by update time. For example, in a sequence of several random numbers with an update interval of one minute, one random number may be replaced each minute in order from top to bottom. Suppose the position currently pointed to by the arrow corresponds to the random number replaced 30 seconds ago, while the other random numbers were last replaced more than 30 seconds ago (1 minute 30 seconds, 2 minutes 30 seconds, and so on); the random number at the position the arrow points to is then the one selected to create the token.
By keeping a plurality of dynamically updated 18-character random numbers composed of digits and/or letters, and selecting the most recently updated one to create the token that contains it, the exposure of any single random number is reduced and the security of the authentication is strengthened.
Further, in other embodiments, the step S32 may further include:
and the server side encrypts a second time stamp and the selected random number through an AES symmetric encryption algorithm to obtain the token.
It should be noted that, to prevent an attacker who compromises the server or the client during the request process from learning how tokens are generated, the second timestamp and the selected random number may be encrypted with the AES symmetric algorithm to obtain the token string; as long as the AES key remains secret, an attacker who captures a token cannot read the random number and timestamp inside it or easily forge one, which strengthens the protection of the data resource.
Optionally, when the client initiates the secondary authentication request, the second timestamp and the selected random number may both be carried in it, so that after the server has checked the selected random number it can further determine whether the second timestamp lies in the expected time range, for example whether it corresponds to the update time, in the current random number sequence, of the random number that matched.
It should be noted that AES (Advanced Encryption Standard) is the specification established by the U.S. National Institute of Standards and Technology (NIST) for encrypting electronic data; it is an iterated, symmetric-key block cipher that uses 128-, 192- or 256-bit keys and encrypts and decrypts data in 16-byte (128-bit) blocks.
Further, when the client sends the first authentication request, the fixed code and the first timestamp may be AES-encrypted and the resulting ciphertext sent to the server. The AES algorithm itself is public, so the security of this step rests on keeping the AES key secret: without it, an attacker who intercepts the request cannot recover the fixed code or the first timestamp, which improves the security of the verification.
Further, a third embodiment of the authentication method for obtaining interface access rights according to the present invention is proposed on the basis of the first embodiment. Referring to fig. 5, in this embodiment, when the determination in step S40 is that "the random number in the secondary authentication request does not match any random number in the random number sequence", the following steps are performed:
Step S70: the server determines that acquisition of the interface access right fails.
This embodiment refines the first embodiment; the difference from the first embodiment is that it adds the case in which the random number does not match any random number in the current sequence.
If the random number in the secondary authentication request matches none of the random numbers in the sequence, the interval between the previous authentication request and the secondary one exceeds the time needed to replace every random number in the sequence: the client has not interacted with the server within that time, so the interface access right has expired, or the client making the secondary request may itself be illegitimate. Either way, acquisition of the interface access right fails.
Step S80: the server feeds back a reset command to the client so that the client can initiate an authentication request again.
After determining that acquisition of the interface access right has failed, the server can feed back a reset command to the client so that the client re-initiates an authentication request. Optionally, the client may determine a fresh fixed code and first timestamp, or it may reuse the fixed code and first timestamp from the original first authentication request.
Feeding back the reset command after the secondary authentication fails lets the client learn the authentication result promptly and speeds up re-authentication.
Further, a fourth embodiment of the authentication method for obtaining interface access right of the present invention is proposed based on the first embodiment of the authentication method for obtaining interface access right of the present invention, and referring to fig. 6, in this embodiment, the secondary authentication request further includes a third timestamp;
the step S50 includes:
step S51, judging whether the third time stamp in the secondary authentication request is matched with the time range corresponding to the matched random number in the random number sequence; if yes, go to step S52;
and step S52, determining that the interface access authority is successfully acquired.
In this embodiment a timestamp is also carried in the secondary authentication request and verified; only when both the random number and the third timestamp in the secondary authentication request match the corresponding content on the server is it determined that the interface access right has been successfully acquired. The third timestamp may be the second timestamp from when the token was created, or the time at which the secondary authentication request was issued.
It should be noted that there may also be an association on the server between the random number in the secondary authentication request and the third timestamp, i.e. the random number matched in the server's sequence corresponds to a certain time range. Verifying the third timestamp against that range further improves the security of acquiring the interface right.
The present invention further provides an authentication server for authenticating the access right of the interface, referring to fig. 7, including:
a determining module 10, configured to respond to an authentication request initiated by a client, and determine a type of the authentication request, where the type of the authentication request includes a first authentication request and a second authentication request; the first authentication request comprises a fixed code and a first time stamp, and the second authentication request comprises a random number fed back by a server;
a first judging module 20, configured to, when the authentication request is a first authentication request, judge whether the fixed code and the first timestamp in the first authentication request meet a preset authentication condition;
a first creating module 30, configured to create a token based on a dynamically updated random number sequence when the fixed code and the first timestamp meet a preset authentication condition, and return the created token to the client, where the token includes a random number;
a second judging module 40, configured to, when the authentication request is a secondary authentication request, judge whether the random number in the secondary authentication request sent by the client matches any random number in the dynamically updated random number sequence in the current server;
a second creating module 50, configured to determine that the interface access right is successfully obtained when the random number in the secondary authentication request matches one random number in a dynamically updated random number sequence in the current server, where the server creates a token based on the dynamically updated random number sequence, and returns the created token to the client, where the token includes a random number.
In another embodiment, the number of random numbers in the dynamically updated random number sequence is a fixed preset value, each random number has a length of 18 characters and is formed by randomly combining arabic numbers and/or letters, and the server updates and replaces one random number in the random number sequence according to a preset sequence at intervals of preset time;
the first creating module 30 includes:
a selecting unit 31 for selecting a random number whose update time is the latest from a fixed number of random number sequences;
a creating unit 32 configured to create the token according to the selected random number.
In a further embodiment, the creating unit 32 is further configured to encrypt the second timestamp and the selected random number by an AES symmetric encryption algorithm to obtain the token.
In another embodiment, the second timestamp is a time corresponding to a random number whose update time is the latest when the current server selects the random number.
In another embodiment, the authentication server further includes a feedback module 60:
the determining module 10 is further configured to determine that acquisition of the interface access right fails when the random number in the secondary authentication request does not match any random number in the random number sequence;
the feedback module 60 is configured to feed back a reset authentication command to the client, so that the client re-initiates the first authentication request.
In yet another embodiment, the secondary authentication request further comprises a third timestamp;
the second creating module 50 includes:
a first judging unit 51, configured to, when the random number in the secondary authentication request matches one random number in a dynamically updated random number sequence in the current server, judge whether the third timestamp in the secondary authentication request matches a time range corresponding to the matched random number in the random number sequence;
the determining unit 52 is configured to determine that the interface access right is successfully acquired when the third timestamp in the secondary authentication request matches a time range corresponding to a matched random number in a random number sequence.
In another embodiment, the first determining module 20 includes:
a second judging unit 21, configured to judge whether the fixed code in the first authentication request matches a pre-stored fixed code;
a third determining unit 22, configured to determine whether a difference between the first timestamp in the first authentication request and a server time of the current server is within a preset range when the fixed code in the first authentication request matches a pre-stored fixed code; when the difference value between the first timestamp and the server time of the current server is within a preset range, the fixed code and the first timestamp accord with a preset authentication condition.
The present invention also proposes a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out all the steps of the authentication method for obtaining access rights to an interface as described above.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or server that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or server. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or service that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An authentication method for obtaining interface access rights, comprising the steps of:
the server side responds to an authentication request initiated by a client side and determines the type of the authentication request, wherein the type of the authentication request comprises a primary authentication request and a secondary authentication request; the first authentication request comprises a fixed code and a first time stamp, and the second authentication request comprises a random number fed back by a server;
when the authentication request is a first authentication request, the server side judges whether the fixed code and the first timestamp in the first authentication request accord with a preset authentication condition or not;
when the fixed code and the first timestamp accord with a preset authentication condition, the server side creates a token based on a dynamically updated random number sequence and returns the created token to the client side, wherein the token comprises a random number;
when the authentication request is a secondary authentication request, the server side judges whether the random number in the secondary authentication request sent by the client side is matched with any random number in a dynamically updated random number sequence in the current server side;
and when the random number in the secondary authentication request is matched with one random number in a dynamically updated random number sequence in the current server, determining that the interface access authority is successfully obtained, creating a token by the server based on the dynamically updated random number sequence, and returning the created token to the client, wherein the token comprises a random number.
2. The authentication method for obtaining interface access rights according to claim 1, wherein the number of the random numbers in the dynamically updated random number sequence is a fixed preset value, each random number has a length of 18 characters and is formed by randomly combining arabic numerals and/or letters, and the server updates and replaces one random number in the random number sequence according to a preset sequence at every preset time interval;
the step of the server creating a token based on the dynamically updated random number sequence comprises:
the server side selects random numbers with the latest updating time from a random number sequence with a fixed number;
and the server side creates the token according to the selected random number.
3. The authentication method for obtaining interface access right according to claim 2, wherein the step of the server side creating the token according to the selected random number comprises:
and the server side encrypts a second time stamp and the selected random number through an AES symmetric encryption algorithm to obtain the token.
4. The authentication method for obtaining interface access right according to claim 3, wherein the second timestamp is a time corresponding to a random number whose update time is the latest when the current server selects the random number.
5. The authentication method for obtaining interface access rights according to claim 1, wherein after the step of the server determining whether the random number in the secondary authentication request sent by the client matches any random number in the dynamically updated random number sequence in the current server when the authentication request is a secondary authentication request, the method further comprises:
when the random number in the secondary authentication request is not matched with any random number in the random number sequence, the server side determines that the interface access authority acquisition fails;
and the server side feeds back a reset authentication command to the client side so that the client side can reinitiate a first authentication request.
6. An authentication method for obtaining interface access rights according to claim 1, wherein said secondary authentication request further comprises a third timestamp;
the step of determining that the interface access authority is successfully acquired when the random number in the secondary authentication request is matched with one random number in a dynamically updated random number sequence in the current server comprises:
when the random number in the secondary authentication request is matched with one random number in the dynamically updated random number sequence in the current server, judging whether the third time stamp in the secondary authentication request is matched with a time range corresponding to the matched random number in the random number sequence;
and when the third timestamp in the secondary authentication request is matched with the time range corresponding to the matched random number in the random number sequence, determining that the interface access authority is successfully acquired.
7. The authentication method for obtaining interface access right according to claim 1, wherein the step of the server side determining whether the fixed code and the first timestamp in the first authentication request satisfy a preset authentication condition includes:
the server side judges whether the fixed code in the first authentication request is matched with a pre-stored fixed code or not;
when the fixed code in the first authentication request is matched with a pre-stored fixed code, judging whether the difference value between the first time stamp in the first authentication request and the service end time of the current service end is in a preset range; when the difference value between the first timestamp and the server time of the current server is within a preset range, the fixed code and the first timestamp accord with a preset authentication condition.
8. An authentication server for authenticating the access right of an interface, comprising:
the determining module is used for responding to an authentication request initiated by a client and determining the type of the authentication request, wherein the type of the authentication request comprises a primary authentication request and a secondary authentication request; the first authentication request comprises a fixed code and a first time stamp, and the second authentication request comprises a random number fed back by a server;
the first judging module is used for judging whether the fixed code and the first timestamp in the first authentication request accord with a preset authentication condition or not when the authentication request is the first authentication request;
the first creating module is used for creating a token based on a dynamically updated random number sequence when the fixed code and the first timestamp accord with a preset authentication condition, and returning the created token to the client, wherein the token comprises a random number;
the second judging module is further configured to, when the authentication request is a secondary authentication request, judge whether the random number in the secondary authentication request sent by the client matches any random number in a dynamically updated random number sequence in the current server;
and the second creating module is used for determining that the interface access authority is successfully acquired when the random number in the secondary authentication request is matched with one random number in the dynamically updated random number sequence in the current server, and the server creates a token based on the dynamically updated random number sequence and returns the created token to the client, wherein the token comprises a random number.
9. An authentication server for authenticating the access right of an interface, the authentication server comprising: communication module, memory, processor and computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, carries out the steps of the authentication method for obtaining interface access rights according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the authentication method for obtaining interface access rights according to any one of claims 1 to 7.
CN201810086667.6A 2018-01-29 2018-01-29 Authentication method for obtaining interface access authority, server and storage medium Active CN108259502B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810086667.6A CN108259502B (en) 2018-01-29 2018-01-29 Authentication method for obtaining interface access authority, server and storage medium

Publications (2)

Publication Number Publication Date
CN108259502A CN108259502A (en) 2018-07-06
CN108259502B true CN108259502B (en) 2020-12-04

Family

ID=62743609

Country Status (1)

Country Link
CN (1) CN108259502B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11044244B2 (en) 2018-09-18 2021-06-22 Allstate Insurance Company Authenticating devices via one or more pseudorandom sequences and one or more tokens
CN109639629B (en) * 2018-10-30 2023-04-18 平安科技(深圳)有限公司 Data access processing method and device, computer equipment and storage medium
CN110224974B (en) * 2019-04-26 2022-08-30 平安科技(深圳)有限公司 Interface authentication method based on third party access and related equipment
CN110263574B (en) * 2019-06-06 2024-08-27 深圳前海微众银行股份有限公司 Data management method, device, system and readable storage medium
CN110708291B (en) * 2019-09-10 2022-09-02 平安普惠企业管理有限公司 Data authorization access method, device, medium and electronic equipment in distributed network
CN110719288A (en) * 2019-10-12 2020-01-21 深圳市道通科技股份有限公司 Cloud service access method, cloud server and terminal
CN111259445B (en) * 2020-01-16 2022-04-19 深圳市元征科技股份有限公司 Database platform access method, device, equipment and medium
CN112016082B (en) * 2020-10-26 2021-01-22 成都掌控者网络科技有限公司 Authority list safety control method
CN112398824B (en) * 2020-11-03 2021-12-14 珠海格力电器股份有限公司 Authority verification method, storage medium and electronic equipment
CN112699350B (en) * 2020-12-30 2024-02-27 中国邮政储蓄银行股份有限公司 Login verification method and device
CN113505397B (en) * 2021-07-27 2025-01-10 中国工商银行股份有限公司 Authorization method, server, system and storage medium
CN117650950B (en) * 2024-01-30 2024-04-19 浙江省电子信息产品检验研究院(浙江省信息化和工业化融合促进中心) Secure communication method and apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546532A (en) * 2010-12-07 2012-07-04 中国移动通信集团公司 Capacity calling method, capacity calling request device, capacity calling platform and capacity calling system
CN104052602A (en) * 2013-03-16 2014-09-17 国际商业机器公司 Prevention of password leakage with single sign on in conjunction with command line interfaces
CN105634743A (en) * 2015-12-30 2016-06-01 中国银联股份有限公司 Authentication method used for open interface calling
CN106302346A (en) * 2015-05-27 2017-01-04 阿里巴巴集团控股有限公司 The safety certifying method of API Calls, device, system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI115098B (en) * 2000-12-27 2005-02-28 Nokia Corp Authentication in data communication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant